Skip to content

Legend shared deps update#260

Open
rafaelbey wants to merge 3 commits into
masterfrom
legend-shared-deps-update
Open

Legend shared deps update#260
rafaelbey wants to merge 3 commits into
masterfrom
legend-shared-deps-update

Conversation

@rafaelbey

Copy link
Copy Markdown
Contributor

No description provided.

rafaelbey and others added 3 commits July 3, 2026 13:14
…egister (#259)

* Add security remediation register for open Dependabot alerts

Inventories all 29 open critical/high/medium alerts, groups them into
ordered remediation waves with transitive-dependency rationale and
per-item blast radius, and documents deferred items blocked by the
Java 8 baseline. Intended to be executed one item per PR.

* Add CLAUDE.md and correct README JDK requirements

The enforcer plugin requires JDK 11/17/21/25 to build; compiled code
targets Java 8. README previously said JDK 8.

* V01: pin trivy-action to 0.35.0 by commit SHA (CVE-2026-33634)

* V02: bump hazelcast to 5.3.8 (CVE-2023-45859, CVE-2023-45860)

* V03: bump json-smart to 2.5.2 (CVE-2021-31684, CVE-2023-1370)

* V04: bump jetty to 9.4.57.v20241219 (CVE-2024-13009 and 4 medium CVEs)

* V05: bump test-scope spring deps (CVE-2023-20883)

spring-boot-autoconfigure 2.3.3 -> 2.7.18, spring-test 4.3.24 -> 5.3.39.
spring-test 5.x mock-web requires spring-web for cookie handling; added
as a test dependency where spring-test is used.

* V06: bump jackson family to 2.18.8 and snakeyaml to 2.3

Closes 12 alerts including the snakeyaml Constructor RCE (CVE-2022-1471)
and six jackson-databind highs. Imports jackson-bom so the datatype/
module/jaxrs jars Dropwizard pulls transitively stay on one version.

* V07: bump nimbus-jose-jwt to 9.37.4 (CVE-2023-52428, CVE-2025-53864)

Build and tests green with oauth2-oidc-sdk 8.22, including the mock-IdP
token renewal test. Manual OIDC login verification against a real IdP
still recommended before release.

* Extract dependency management into legend-shared-bom

Moves all version properties and dependencyManagement from the root pom
into a published BOM module that Legend applications can import to stay
aligned with the versions (including the security bumps) managed here.
Documented in README; CVE-driven exclusions propagate to importers.

* Reconcile WhiteSource findings from PR #259 in remediation register

The 4 'new' findings are known unfixable items re-attributed to the
bumped jars, not regressions: CVE-2026-2332 (D1, no 9.4.x fix exists on
Central despite Mend citing 9.4.60), CVE-2026-54515 (D4, no 2.x patch),
CVE-2024-6763 (D5) and CVE-2025-11143 (new D6), both Jetty-12-only.

* Document HeroDevs NES option for the unfixable Jetty 9.4 CVEs

Mend's suggested 9.4.60 is a commercial HeroDevs NES release (private
registry, same GAV). Not adoptable upstream (Central-resolvable deps
required; FINOS project), but documented as a deployer-side override
for organizations needing CVE-2026-2332/CVE-2025-11143 closed before
the Phase-2 migration.
@rafaelbey rafaelbey requested a review from a team as a code owner July 3, 2026 17:38
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Workflow Telemetry - Build CI / Build

Workflow telemetry for commit c76d7da1710308ed48233402424289428347b1a7
You can access workflow job details here

Step Trace

gantt
	title Build
	dateFormat x
	axisFormat %H:%M:%S
	Set up job : milestone, 1783100295000, 1783100297000
	Checkout repo : 1783100297000, 1783100298000
	Cache Maven dependencies : 1783100298000, 1783100302000
	Set up JDK : 1783100302000, 1783100302000
	Configure git : 1783100302000, 1783100302000
	Download deps and plugins : 1783100302000, 1783100313000
	Collect Workflow Telemetry : 1783100313000, 1783100313000
	Build + Test : 1783100313000, 1783100374000
	Upload Test Results : 1783100374000, 1783100376000
	Upload CI Event : 1783100376000, 1783100377000

Loading

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Test Results

20 files  ±0  20 suites  ±0   22s ⏱️ ±0s
83 tests ±0  83 ✔️ ±0  0 💤 ±0  0 ±0 

Results for commit c76d7da. ± Comparison against base commit 2bd4a69.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants